From mboxrd@z Thu Jan  1 00:00:00 1970
From: valentin.haenel at gmx.de (Valentin Haenel)
Date: Mon, 29 Oct 2012 13:38:18 +0100
Subject: [PATCHv2 2/3] Add ability to authorize viewing a repository
In-Reply-To: <CAHmME9pLPBK0wM4aW=cr3fJ6aHHwMnw2vQnnNznajJ0zcXBB2A@mail.gmail.com>
References: <1350378927-10834-1-git-send-email-valentin.haenel@gmx.de>
 <1350894558-24840-2-git-send-email-valentin.haenel@gmx.de>
 <k6i03d$mp0$3@ger.gmane.org>
 <CAHmME9pLPBK0wM4aW=cr3fJ6aHHwMnw2vQnnNznajJ0zcXBB2A@mail.gmail.com>
Message-ID: <20121029123817.GF17370@kudu.in-berlin.de>

* Jason A. Donenfeld <Jason at zx2c4.com> [2012-10-28]:
> On Sat, Oct 27, 2012 at 7:00 PM, Ben Boeckel <mathstuf at gmail.com> wrote:
> >> +             cgit_print_error(fmt("Authorization failed for repo: '%s' and user: '%s'",
> >> +                                     ctx->repo->name, ctx->env.remote_user));
> 
> XSS.

Would it be enough to use 'html_txt' from html.c:

http://git.zx2c4.com/cgit/tree/html.c#n92

to prevent this?

V-